ubuntucve | Ubuntu.com | UB:CVE-2018-5378
History: Feb 13, 2018 - 12:00 a.m.

CVE-2018-5378

quagga bgp daemon, data bounds check, vulnerability, version 1.2.3, arbitrary data, peer, process crash

CVSS2: 4.9
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:M/Au:S/C:P/I:N/A:P

CVSS3: 7.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

EPSS: 0.575
Percentile: 97.7%

The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly
bounds check the data sent with a NOTIFY to a peer, if an attribute length
is invalid. Arbitrary data from the bgpd process may be sent over the
network to a peer and/or bgpd may crash.

Notes

Author | Note
mdeslaur | this is Quagga-2018-0543

OS | Version | Architecture | Package | Version | Filename
ubuntu | 17.10 | noarch | quagga | < 1.1.1-3ubuntu0.2 | UNKNOWN
